[PATCH] scsi: target: Add a check to prevent the use of a NULL pointer

[Ваторопин Андрей]

From: Andrey Vatoropin <a.vatoropin@xxxxxxx>

Some functions accept a string input parameter, which is then passed to
strscpy(). If strscpy() returns zero the (len > 0) branch is not taken and
`stripped` remains NULL. The subsequent check (len < 0 || len >
INQUIRY_VENDOR_LEN) does not catch this case, allowing a NULL `stripped`
pointer to be passed to target_check_inquiry_data().

Therefore, the existing checks are insufficient to prevent the use of a
NULL pointer when an empty string is passed.

Add exclusion of zero-length strings to avoid dereferencing a NULL
`stripped` pointer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
       
Fixes: 54a6f3f6a43c ("scsi: target: add device vendor_id configfs attribute")
Signed-off-by: Andrey Vatoropin <a.vatoropin@xxxxxxx>
---
 drivers/target/target_core_configfs.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index a1c91d4515bc..3aaa2b931009 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -1455,6 +1455,10 @@ static ssize_t target_wwn_vendor_id_store(struct config_item *item,
 			"\n");
 		return -EOVERFLOW;
 	}
+	if (len == 0) {
+		pr_err("Emulated T10 Vendor Identification equals zero.\n");
+		return -EINVAL;
+	}
 
 	ret = target_check_inquiry_data(stripped);
 
@@ -1511,6 +1515,10 @@ static ssize_t target_wwn_product_id_store(struct config_item *item,
 			"\n");
 		return -EOVERFLOW;
 	}
+	if (len == 0) {
+		pr_err("Emulated T10 Vendor equals zero.\n");
+		return -EINVAL;
+	}
 
 	ret = target_check_inquiry_data(stripped);
 
@@ -1567,6 +1575,10 @@ static ssize_t target_wwn_revision_store(struct config_item *item,
 			"\n");
 		return -EOVERFLOW;
 	}
+	if (len == 0) {
+		pr_err("Emulated T10 Revision equals zero.\n");
+		return -EINVAL;
+	}
 
 	ret = target_check_inquiry_data(stripped);
 
-- 
2.43.0